
Social media hacking relies on the kindness of friends; I was (almost) a victim – bobsullivan.net

You may think your humble social media account is useless to multinational crime gangs, but you’d be wrong. Cybercriminals have dozens of ways to turn hijacked Facebook, Instagram, TikTok, or Twitter accounts into cash…or worse. You’d be amazed at how quickly friend-of-friend attacks escalate into massive crimes, so it’s important to keep your account safe. Be suspicious of ANY strange or surprising incoming message. In most cases, it’s best to do nothing.

I’m reminding you of this because I’ve just learned about a (fairly) new method criminals are using to steal social media accounts: all it takes is the kindness of friends. It’s so simple that it almost got me, and it actually got a friend of mine. And because there’s a little “truth” to the request, you can understand why victims comply with the criminals’ one brief request – and inadvertently allow the hacker to use the password change/recovery function to hijack their account.

I’ll describe it. It’s a bit confusing, but a picture is worth a thousand words. I recently received this instant message from a friend on Instagram.

And indeed, I recently received an email from Facebook that looked like this:

The kicker is that this message came from a long-time friend of mine – or at least from his account. So I was inclined to help him. He had lost access to his account, which I know is vital to his small business. Plus, the message came late at night when I wasn’t really in my role as a cybersecurity journalist. So I opened the message and thought about sending him the code in response.

I also remembered that Facebook uses friends to assist with account recovery when a criminal hijacks an account. At least, that was the case until about a year ago. An innovative feature called “trusted contacts” used to be available when victims tried to regain access to their accounts. Essentially, Facebook/Meta would write to people in this trusted contacts list and ask them to vouch for someone who was locked out of their account. However, hackers learned how to exploit the feature, so Facebook discontinued it sometime in 2023.

However, since I vaguely remembered it, I agreed to my friend’s request. Luckily, instead of sending him the code I received via email from Facebook, I sent him a message using a different messaging app from another company – not Facebook, Instagram or WhatsApp – to ask him what was going on.

And there, a few hours later, he told me that he had been hacked … just because he wanted to help a friend regain access to his account. And now, like so many account hijacking victims I’ve written about, he’s lost in the hell of trying to regain account access through Meta’s slow recovery process.

It’s no secret that I think companies like Facebook could do a lot more to protect their users. That starts with better customer service that takes care of issues when they arise. Remember, it took me half a year to regain access to my dog’s Instagram account after my phone was stolen. In this case, I have yet another complaint about Facebook. Take another look at the email I received. The subject line really works in the criminal’s favor. It just says “XXXX is your account recovery code.” That’s all you see in an email preview, and it would be easy to read that out loud to someone who asked for it. The *body* of the email indicates that the code was sent in response to “a request to reset your Facebook password.” But if a recipient was quickly trying to help a friend in need, they might not read this far.

By now you have seen through the hackers’ “game.” They wanted to get a code with which they could reset my Facebook password and hijack my account. I was lucky; my friend was not.

What could a criminal do with access to his or my account? They could soon start offering fraudulent cryptocurrency “opportunities.” Or run a convincing “I need bail” scam. Or they could pool the account with thousands of other hijacked accounts for future fraud or disinformation campaigns. For example, one account could be used to spread a fake AI video of a presidential campaign. Pretty horrible things you never want to be a part of.

This attack is not new; I see mentions of it on Reddit dating back at least two years, so I hope this story seems like old news to you and you’re confident in your ability to see through this scam. But it seems very convincing to me, so I wanted to warn you as soon as possible.

Let me know if you’ve ever seen this or a similar attack in the wild. In the meantime, consider this a reminder that even if you think your corner of the internet universe is so small that no one would ever want to steal it, criminals still want to steal your digital identity.
